ABS urged to address cyber security vulnerabilities ahead of 2026 Census

The Australian National Audit Office (ANAO) has conducted an audit of the cyber-readiness of the Australian Bureau of Statistics (ABS) ahead of this year’s Census, advising that the ABS must address key remaining cyber security vulnerabilities by ensuring critical activities will be completed in time.

The 2026 Census, taking place on 11 August, is a significant national event with an anticipated online completion rate of 85%.

According to the ANAO, around one billion cyber attacks were repelled by the ABS during the last Census, which happened in 2021. During the 2016 Census, a distributed denial of service attack (DDoS) caused the online form to be closed and subsequently reopened 40 hours later.

The objective of this audit was to assess the readiness of the ABS’ cyber security arrangements for the 2026 Census. To form a conclusion against the objective, the ANAO adopted the following criterion: has the ABS designed and implemented controls to mitigate cyber security risks related to the 2026 Census?

The audit found that while the ABS had identified and assessed cyber security risks for the 2026 Census, there were shortcomings in the completeness and timeliness of updates that limited the usefulness of reporting to oversight committees.

Assessments of related strategic level and program level cyber security risks were not always consistent, arrangements for assigning responsible officers for risks were not documented and risk owners were not assigned to program level cyber security risks. 

The process for obtaining risk updates was also not documented; prior to July 2025, risk updates were only sought for program risks rated ‘high’ and above, irrespective of whether they were within target residual severity ratings.

Oversight committees were found to be monitoring 2026 Census cyber security risks, but did not receive timely updates on critical cyber security controls.

The audit also found that while the ABS is conducting assurance and testing over cyber security controls through implementation of the 2026 Census Program Assurance Plan, there are gaps in the delivery of some activities being conducted under the plan.

As at March 2026, plans were in place to address known issues, but the ANAO advised that further work is required to identify and address residual vulnerabilities in the ABS ICT environment.

The ANAO made four recommendations to the ABS, the first being to strengthen its Census risk management arrangements by clearly linking strategic and program level risks, particularly where they overlap; documenting the arrangements for assigning responsible officers to risks; and establishing documented processes for the timing and the content of risk updates by responsible officers.

Recommendation two was for the ABS to establish cyber security advisory arrangements early in Census preparation to reduce gaps in risk monitoring and ensure effective mitigation across the breadth of ICT systems supporting the Census.

The third recommendation was for the ABS to comply with the Information Security Manual requirements by ensuring comprehensive architecture documentation is prepared and approved prior to developing ICT systems; and reviewing security architecture documentation annually.

The final recommendation was that ABS needs to ensure that the assessment and mitigation of risks to cyber security readiness stemming from the broader ABS ICT environment, including critical systems hardening requirements, are incorporated into Census ICT frameworks; and
risks identified in audits and review activities are adequately addressed in planning and strategy documents.

The ABS welcomed the recommendations and confirmed its commitment to implementing all recommendations in full as part of its focus on continuous improvement.

"The ABS has adopted a proactive approach, with implementation commencing during the audit period. Actions to address recommendations one and two have been completed, and substantial progress has been made against recommendations three and four. This work ensures the ABS is well positioned and operationally prepared for the 2026 Census," the ABS said.

"The ABS will continue to prioritise these improvements and allocate appropriate resources to support their successful delivery. This commitment extends beyond readiness for the 2026 Census, to also strengthen the quality, efficiency and resilience of future Censuses."